Multi-Layer Security Platforms
An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to police traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"
Considering I'm planning to go into the network security field, any other interesting/fact-filled articles or websites I should check out?
Sorry; I wasn't that impressed... the entire article read like a hard-sell pitch for all-in-one security appliances. And it turns out one of the authors is the V.P. of marketing for a company selling a range of all-in-one security appliances.
I'd actually think that everyone going the recommended route would end up in the same boat as the current monoculture of point products that they complain about. Now, instead of being compromised because we're all running the same code, we get compromised because we're all running the same security appliance, with the same flaws.
I'd actually rather see a diverse and heterogeneous set of defenses to prevent large scale compromises working against everyone, and the economy of throwing everything into a box, rather than loading a bunch of diverse software strikes me as a false one.
The same arguments that make me want to run a MacOS X box or a FreeBSD box or a Linux box instead of some other platform with well known vulnerabilities make me *not* want to run the same appliance box in front of my network that everyone else is running, too.
Maybe I'm just jaded, and have heard "best of breed" one too many times. 8-(.
-- Terry
... is still there, as it was in the good ol' times: Unplug the damn thing
We've been testing a BUNCH of 'all in one' security appliances, and most are clearly running Linux, and at least one of the VERY LARGE, WELL KNOWN appliances is even missing stability updates (yes, that's right, off the shelf bugtraq code can DoS it).
There's a time and place for security appliances, but they're not a cure-all. Some of the brands (I'm actually a fan of Watchguard for small businesses) do great work blocking malicious web and email traffic, but the stability and security are still far from perfect.
I kinda work in "the industry" and here's my $0.02:
First, a good setup would involve a completely standard desktop solution. From hardware to software, everything needs to be, pretty much, identical. That install would come with a VMWare player image of the user's standard install with full admin rights to the user. The VMWare image would be for special dev tools or just for those times when a user "has to have admin". This should remain hidden/disabled for 99% of the users. Only unlock it when someone shows they need to have admin for some reason.
Next, you need to have good user controls. The user should not be able to save files on their local drive. Every desktop should have a shortcut to the SAN/NAS. Every doc they create should be placed there. The SAN/NAS would be backed up daily.
The desktop should include a firewall. Only 80 and 443 should be open for outgoing. Incoming should have RDP or VNC open for admins to get in. There should be an icon on the desktop with the computer's name and IP address so that the user does not spend an hour reading the label off the back of the PC.
On the e-mail side. Attachments should not be allowed. Internally, there should be a "dump" directory on the SAN/NAS. Ideally, groups would have their own dump area within that group's directory. The dump directory would be deleted every night prior to backups.
HTML e-mail would be allowed, but images would be stripped.
The network center's setup should be as bulletproof as possible. Every server should run a firewall and only allow what is needed. And then, lock them to the IP address ranges they need to connect to.
Webmail would be blocked at the proxy server. We provide you an e-mail for official use. If you want to get your webmail, forward that to your work addy where we at least get a chance to strip attachments, bugged images, and phishing attempts.
Last but not least, have a good contingency plan. We all know about trojans, phishing, bad attachments and the like. But what's the next internet wildfire? For everything you can think of, there are probably 10 things you can't. Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS. Have a plan for fire and earthquakes/floods. Have a few spare desktops with the standard install already done for when a user borks their setup. Have help files on the desktop for things like setting up Outlook and mapping SAN/NAS drives.
Remember that it's all a matter of usability vs. security. I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.
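The desktop firewall policy sketched in the post above, as an added example that is not the poster's own code: a small first-match, default-deny rule evaluator, run over a handful of constructed flows. All hosts, address ranges and port choices below are assumptions made for illustration. Evaluated exactly as posted ("only 80 and 443 out, RDP/VNC in for admins"), the policy also denies the SMB and IMAP traffic the same post relies on for the SAN/NAS and the mail server; the pinned variant adds those flows, but only to the specific hosts that need them, which is the "lock them to the IP address ranges they need" point made later in the post.

```python
# Added example (not code from the post above): a tiny first-match, default-deny
# host-firewall evaluator used to check the desktop policy the post describes.
# All addresses, ranges and ports below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                      # "in" (to this host) or "out" (from this host)
    proto: str                          # "tcp", "udp" or "any"
    src: str                            # CIDR the flow's source must fall in
    dst: str                            # CIDR the flow's destination must fall in
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any
    action: str                         # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True only if every field of the rule covers the flow."""
    if rule.direction != flow.direction:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dports is not None and not (rule.dports[0] <= flow.dport <= rule.dports[1]):
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed network layout (assumption, not from the post).
ADMIN_NET = "10.0.0.0/24"     # where the admins' jump hosts live
NAS = "10.0.1.10/32"          # the SAN/NAS every document is supposed to land on
MAIL = "10.0.2.5/32"          # the internal mail server
ANY = "0.0.0.0/0"

# The policy exactly as the post states it: only 80/443 out, RDP/VNC in for admins.
POST_POLICY = [
    Rule("out", "tcp", ANY, ANY, (80, 80), "allow"),
    Rule("out", "tcp", ANY, ANY, (443, 443), "allow"),
    Rule("in", "tcp", ADMIN_NET, ANY, (3389, 3389), "allow"),   # RDP from admins
    Rule("in", "tcp", ADMIN_NET, ANY, (5900, 5900), "allow"),   # VNC from admins
]

# The same policy with the internal dependencies the post relies on pinned to
# the specific hosts that need them, still default deny for everything else.
PINNED_POLICY = POST_POLICY + [
    Rule("out", "tcp", ANY, NAS, (445, 445), "allow"),    # SMB to the SAN/NAS only
    Rule("out", "tcp", ANY, MAIL, (143, 143), "allow"),   # IMAP to the mail server only
    Rule("out", "tcp", ANY, MAIL, (587, 587), "allow"),   # mail submission, mail server only
]

DESKTOP = "10.0.50.20"
# Constructed sample flows, named so the audit output reads as a checklist.
FLOWS: Dict[str, Flow] = {
    "web to internet":       Flow("out", "tcp", DESKTOP, "203.0.113.10", 443),
    "smb to nas":            Flow("out", "tcp", DESKTOP, "10.0.1.10", 445),
    "imap to mail server":   Flow("out", "tcp", DESKTOP, "10.0.2.5", 143),
    "smb to random host":    Flow("out", "tcp", DESKTOP, "10.0.60.7", 445),
    "rdp from admin":        Flow("in", "tcp", "10.0.0.5", DESKTOP, 3389),
    "rdp from another desk": Flow("in", "tcp", "10.0.50.21", DESKTOP, 3389),
    "ssh from admin":        Flow("in", "tcp", "10.0.0.5", DESKTOP, 22),
}


def audit(policy: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the verdict the given policy produces."""
    return {name: evaluate(policy, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("as posted", POST_POLICY), ("pinned", PINNED_POLICY)):
        print(f"--- {label} ---")
        for flow_name, verdict in audit(policy).items():
            print(f"{flow_name:24} {verdict}")
```

The evaluator is deliberately first-match with an implicit final deny, which is how most host firewalls behave; the order of the rules therefore matters, and an early broad allow would silently override a later narrow deny. Note that even the pinned variant still denies SSH from the admin network, because the post only asked for RDP and VNC inbound.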
4 pages to say defense in depth? Any person who's spent a little time reading about security on the internet could tell you that. Heck, with a touch of extrapolation, combined forces have been used for how long? A couple thousand years?
I agree with the poster above who said it sounded like an ad for an all-in-one appliance. It spends the first page putting down best-of-breed security measures, then says we need to use best-of-breed ones, only under this new definition. It ignores that these all-in-one solutions generally have the cost of integration factored into the cost of the very expensive product. It talks about the changing security environment, trying to pump up your fear, but it totally ignores insider threat, which constitutes the larger chunk of threat.
Essentially, this is a document for security managers, not for anyone on the ground, so to speak. The language is unnecessarily obtuse and ornate.
When you install software, it tells you it's installing, and goes into the installed directory so you can browse every piece of software installed on your computer... instead of letting software designers put their software everywhere they feel like hiding it on your hard drive and registry. Yes, I'm looking in your direction, Windows. Power to the user, less abusive power to the developer.
Usually, there's not enough to read, but at 10 PM on a weeknight, the last thing I want to do is read something that long. Thanks for telling me that I don't need to read it.
In summary, an article pitching 'unified threat' appliances, written by the VP Marketing of a vendor for same, in conjunction with a coin operated analyst who writes white papers. There is little valuable news or informational content in that article. They don't even bother to back the thrust of their argument with much in the way of facts, just vague assertions that support their points.
Not that I have anything in principle against the concept of unified security management, except for the little matter that security is an emergent property of the entire system under consideration and not something that can be separated out into an external appliance, no matter how nice and easy that might seem. For example, the "emerging threat from viruses" represented in the article is due to choices in system design which egregiously ignore the problems that might result from installing any random blob of data as system software.
Indeed, perimeter security has never been regarded as sufficient, merely convenient. Many uses of networks have no natural perimeter, university campuses for example. The alternative concept of defense in depth has been the subject of ongoing discussion for at least a decade now, but it does require some effort to model what is allowed to communicate with what, and that in turn forces the question of identity. All of that is sort of hard. Not impossible, but you have to think about what you're doing, and maybe stop doing some of the bad stuff. You can't just take a pill to make it go away.
So this says people should put all their eggs in one basket and that is the proper way to protect the network. It mentions protection at the edge only as being bad, which it is. Then it doesn't really come back to that and tries to sell a box that brings to mind a WAN, LAN and DMZ port.
This is lame. Sure, it may be running some kind of magical software that knows in advance all of the 0-day stuff better than TippingPoint. Really though, layered multi-vendor approaches are best. I've had a virus make it through the IPS, mail gateway, the mail server, all the way to the desktop before getting caught by AV. I've had the same thing happen but it wasn't caught by the desktop AV until a day later once the defs updated. That kind of sucked but it did no real damage running as an unprivileged user, and the mail server and gateway probably wouldn't have seen it again, though I assume their defs would find it at that point.
This is for small businesses with no open source knowledge and bad IT. Nothing to see here, move along.
My security solution that handles 95% of what I need is OpenBSD (plus a couple of ports). The documentation is awesome, as is the community, and it is built to be proactively secure. Give it a try: http://www.openbsd.org/
Ahh, a comprehensive article on security structure written by someone out to sell something. Only one good tag for this story - "markitechture".
I thought the network was supposed to facilitate business and personal communication. One configured like this looks more like 'walking through a minefield'. How do you ever get a distributed application (think funds transfer between banks) working? Cash on a motorcycle?
What email side? You've blocked everything but http and https. POP, IMAP, SMB, NFS etc etc etc etc etc are all blocked.
Trite, insipid and banal. I agree that a holistic approach is needed and because of that a 'platform' is only part of the remedy. Apart from stating the obvious, the approach advocated here actually amounts to a view of information security which is curiously not holistic. As is usual, there is no mention of any process involved in information security, simply a thinly veiled entreaty to buy the snake oil and all will be well. Reader beware: if devices are all that is mentioned, then question the writer's motives.
I would urge investigation of ISO 27001 for any organisation. This will give you a framework. The risk analysis process will tell you what you are trying to protect and from what. The business owns the risk and if they accept it your job is done. If mitigation is mandated then you can look for 'platforms' and processes that fulfil your requirement. If your approach is rigorous then you will reduce the risk to an acceptable level for all parties concerned.
Of course, the success of the above relies heavily on skilled technical security professionals capable of accurately identifying threats, vulnerabilities and effective mitigation tactics.
In short, I would rather "blend" the above solution than concentrate on a bunch of boxes stitched together like 'Buffalo Bill' on a Saturday night.
i wish i could write a plain "sucked out of thin air" article like that. OMG. it's NOTHING.

this reminds me of high school where we had to write about "some topic". utterly useless about the content, but if there were no spelling errors you'd get an "A". un-freaking-believable. at least we know what "network security officers" really do: practice in stringing words together. weee...

"the sky is blue. it's raining. i think i need an umbrella. maybe it will stop raining later. i think i'm getting hungry. maybe i should eat something. oh, look, a puddle of water. i think i shouldn't step into it. i think that would leave a mess when i get back home. the air smells so fresh. i hope it's going to stop raining soon, this umbrella is getting heavy. should i go for McDonald's or Burger King? i hope there will still be a seat free."
it was generated by http://pdos.csail.mit.edu/scigen/.
Only in fake papers and in speeches by our college president have I heard something simple (and trivial) said in so many words.
This article is nothing but crap marketing words designed to confuse the ignorant.
Translation with misinformation: Hackers are now attacking vulnerabilities in applications.
The truth: Script kiddies are learning how to attack vulnerabilities in applications thanks to front-end applications like Metasploit.
What they don't know: Hackers designed layers 1-7.
Build plywood forms around the computer and pour concrete.
Anyone who doesn't know about Bruce Schneier should check out his writings (he has several books out). He thinks to the bottom of things, recursively asking "what's the *real* problem?" until he gets to a real solution. I've tried to follow his example in my security blog for normal people.
It's not even enough to be a security generalist.
After you've studied every facet of security, remember that some attacks come from backhoes and hurricanes. Learn about business continuity. Then instead of getting frustrated when security measures don't work, learn systems safety engineering to understand why. Study finance and risk management so you can have common ground for discussion with C-level managers. Maybe insurance is better than prevention in some cases.
At a very rough guess, I'd say that between the two of us, we could produce a text at least 20-30 (maybe 40) volumes long on what a security expert would need to know. Dunno how much you could add, but I could certainly manage the chapter titles and maybe even a little of the content we've listed so far.
Of course, that does beg another question. Other than manufacturing portable Black Holes, what would anyone do with such a book even if written? It would be unlikely anyone would even try to read it, and I seriously doubt many people - even very bright people - could completely digest a text up to twice the size of the entire Oxford English Dictionary. On the other hand, if something like that were not written, data security won't noticeably improve and ignorance of the scope of the problem will remain.
Yeah, the article is clearly marketing hype. All broad brush, loaded with scary terms couched in small technical-sounding (but relatively non-technical) paragraphs by some VP of Marketing. Note the use of hanging "and,"s as paragraph breaks, lest some poor, ignorant exec's eyes glaze over at uninterrupted technobabble.
I was rather amused at how the writer(s) sort of lost it, style wise. I found the fact that threat-scape was unquoted the first time it was used (at the end of a paragraph) while it was quoted as if it was a new term the second time it was used, in a short paragraph with yet another awkward transition at the end.
All in all, what impressed me most about the authors is how they must have tried really, REALLY hard to sound knowledgeable but came across looking like wannabes as far as security expertise goes. We all know how well maintaining the appearance of being knowledgeable works as far as actually securing systems goes.
*SIGH* Time to reset the BS detector...
FLASH!: I just remembered the image that came to mind when I was reading the article, trying to figure out what the basic message the authors were trying to convey is. Remember the Talking Barbie ads that got the jockey shorts of a few feminists in a bunch several years ago? If so, imagine Barbie whining, "Security is hard!"
Nothing!!! Absolutely nothing to see here! This post is like http://www.google.com/search?&q=network+security